LUKS vs Encrypted Storage Engine performance

Hi, I was wondering if anyone has experience with running MongoDB with data stored on an encrypted filesystem vs using the MongoDB Enterprise encrypted storage engine. I’m particularly interested in any performance or operations pros/cons. Would they both be expected to have similar performance overhead?

Hi @AmitG,

I don’t have a performance comparison to offer based on direct experience (and I expect actual outcomes would be heavily influenced by your workload and deployment resources), however some general points to consider are:

  • LUKS is full disk encryption, so will add overhead for all file access on encrypted volumes.

  • MongoDB Enterprise’s encrypted storage engine only affects data files used by MongoDB processes.

  • MongoDB data files using the default storage engine will not be encrypted if copied from a LUKS volume to another standard volume (e.g. for backup).

  • MongoDB data files encrypted by the MongoDB Encrypted Storage Engine will always remain encrypted.

  • Encryption at rest is only one of the recommended security measures – see the MongoDB Security Checklist for more recommendations. MongoDB Enterprise Advanced includes additional security features (auditing, Kerberos/LDAP auth, support for automatic Queryable Encryption, …) as well as operational tools like Ops Manager.

I suspect targeted in-process encryption with the MongoDB Encrypted Storage Engine will be more efficient than LUKS, but for either approach you can address deployment resources needed for your performance targets as part of your capacity planning.

Regards,
Stennie
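
The point above about copies leaving a LUKS volume can be checked before a file-level backup runs. The following is an added example, not part of the original posts: it walks `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports whether a path sits on a dm-crypt mapping. The device names, mount points and sample output are constructed, and the data files are assumed to use the default (unencrypted) storage engine.

```python
import json
import posixpath

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output (not from a real host).
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "mongo_crypt", "type": "crypt", "mountpoint": "/var/lib/mongodb"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/backup"}]}
]}
""")

def mounts(devices, under_crypt=False):
    """Yield (mountpoint, encrypted) for every mounted device in the tree."""
    for dev in devices:
        # A filesystem is encrypted if it, or any device beneath it, is a crypt mapping.
        encrypted = under_crypt or dev["type"] == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], encrypted
        yield from mounts(dev.get("children", []), encrypted)

def on_encrypted_volume(path, lsblk=SAMPLE_LSBLK):
    """True if the filesystem holding the absolute `path` sits on a dm-crypt (LUKS) mapping."""
    path = posixpath.normpath(path)
    best = None
    for mnt, encrypted in mounts(lsblk["blockdevices"]):
        mnt = posixpath.normpath(mnt)
        # Match on whole path components so /backupfoo is not treated as /backup.
        if path == mnt or mnt == "/" or path.startswith(mnt + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, encrypted)  # longest matching mount point wins
    if best is None:
        raise ValueError(f"no mounted filesystem found for {path}")
    return best[1]

def backup_leaves_encryption(db_path, backup_path, lsblk=SAMPLE_LSBLK):
    """True when a file copy from db_path to backup_path would land unencrypted."""
    return on_encrypted_volume(db_path, lsblk) and not on_encrypted_volume(backup_path, lsblk)
```

On a real host, pass the parsed output of `lsblk --json -o NAME,TYPE,MOUNTPOINT` as the `lsblk` argument instead of the sample.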